CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 49/128 • 15328 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15328 CVEs for this tag (all time). In the last 365 days, 3832 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-06-13
Medium

CVE-2024-5951

Deep Sea Electronics DSE855 Factory Reset Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installatio…

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2024-38280

An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.

CVSS: 4.6 CWE: CWE-313 - Cleartext Storage in a File or on Disk View on NVD
Medium

CVE-2024-38279

The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.

CVSS: 4.6 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-29169

Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal audit REST API. A remote authenticated attacker could potentially exploit this vulnerabilit…

CVSS: 5.4 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-22441

HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2023-35860

A Directory Traversal vulnerability in Modern Campus - Omni CMS 2023.1 allows a remote, unauthenticated attacker to enumerate file system information via the dir parameter to listing.php or rss.php.

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2023-35858

XPath Injection vulnerabilities in the blog and RSS functions of Modern Campus - Omni CMS 2023.1 allow a remote, unauthenticated attacker to obtain application information.

CVSS: 5.3 CWE: CWE-91 - XML Injection (aka Blind XPath Injection) View on NVD
High

CVE-2024-37131

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, lead…

CVSS: 7.5 CWE: CWE-942 - Permissive Cross-domain Security Policy with Untrusted Domains View on NVD
Medium

CVE-2024-29168

Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal assets REST API. A remote authenticated attacker could potentially exploit this vulnerabili…

CVSS: 5.4 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-28969

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-28968

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for internal email and collection settings REST APIs (if enabled by Admin user from UI). A…

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-28967

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API (if enabled by Admin user from UI). A remote low privi…

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-28966

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged…

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-28965

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API (if enabled by Admin user from UI). A remote low privileged…

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-34113

ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the us…

CVSS: 5.5 CWE: CWE-261 - Weak Encoding for Password View on NVD
High

CVE-2024-34112

ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could exploit this vulnerability…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-30472

Telemetry Dashboard v1.0.0.8 for Dell ThinOS 2402 contains a sensitive information disclosure vulnerability. An unauthenticated user with local access to the device could exploit this vulnerability l…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2024-30299

Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit th…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2024-34106

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could expl…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2024-34104

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could lever…

CVSS: 8.2 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2024-34103

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit t…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-2098

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and includin…

CVSS: 7.5 CWE: CWE-289 - Authentication Bypass by Alternate Name View on NVD
2024-06-12
Critical

CVE-2024-37036

CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2024-34065

Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before ve…

CVSS: 7.1 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
High

CVE-2024-28964

Dell Common Event Enabler, version 8.9.10.0 and prior, contain an insecure deserialization vulnerability in CAVATools. A local unauthenticated attacker could potentially exploit this vulnerability, l…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-06-11
Critical

CVE-2024-2013

An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-au…

CVSS: 10.0 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-36266

A vulnerability has been identified in PowerSys (All versions < V3.11). The affected application insufficiently protects responses to authentication requests. This could allow a local attacker to byp…

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-35206

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application does not expire the session. This could allow an attacker to get una…

CVSS: 7.7 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Medium

CVE-2024-4319

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and inc…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2024-36360

OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP req…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2024-29855

Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator

CVSS: 9.0 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2024-34686

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will b…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-28164

SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confident…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-06-10
Medium

CVE-2024-22279

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at sca…

CVSS: 5.9 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
Low

CVE-2024-36407

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attac…

CVSS: 3.7 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
Low

CVE-2024-35749

Authentication Bypass by Spoofing vulnerability in Acurax Under Construction / Maintenance Mode from Acurax allows Authentication Bypass.This issue affects Under Construction / Maintenance Mode from…

CVSS: 3.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-06-08
Medium

CVE-2024-4468

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versio…

CVSS: 4.3 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2024-06-07
Medium

CVE-2024-37162

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. T…

CVSS: 4.0 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
High

CVE-2024-36787

An issue in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface via unspecified vectors.

CVSS: 8.8 CWE: CWE-1390 - Weak Authentication View on NVD
2024-06-06
Critical

CVE-2024-32752

The iSTAR door controllers running firmware prior to version 6.6.B, does not support authenticated communications with ICU, which may allow an attacker to gain unauthorized access

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2024-5552

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely e…

CVSS: 7.5 CWE: CWE-1333 - Inefficient Regular Expression Complexity View on NVD
Medium

CVE-2024-5248

In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict t…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-5225

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability arises due to improper neutralization of special elem…

CVSS: 7.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-5186

A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could res…

CVSS: 7.2 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2024-5128

An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2024-4890

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' p…

CVSS: 4.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-3429

A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This…

CVSS: 9.8 CWE: CWE-29 - Path Traversal: '..filename' View on NVD
Critical

CVE-2024-3408

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in th…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2024-3404

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypas…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2024-5127

In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended fo…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-4325

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerabili…

CVSS: 8.6 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2024-37152

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authenti…

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2024-5684

An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the pa…

CVSS: 6.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Medium

CVE-2024-5665

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘export_settings’ function in versions…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-2017

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functi…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2023-6966

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/…

CVSS: 8.1 CWE: CWE-284 - Improper Access Control View on NVD
2024-06-04
High

CVE-2024-4520

An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat hi…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-29170

Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability,…

CVSS: 8.1 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2023-52176

Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Malware Scanner: from n/a through 4.7.…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-51667

Authentication Bypass by Spoofing vulnerability in FeedbackWP Rate my Post – WP Rating System allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Rate my Post – WP Rati…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-51543

Authentication Bypass by Spoofing vulnerability in Metagauss RegistrationMagic allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects RegistrationMagic: from n/a through 5…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-51542

Authentication Bypass by Spoofing vulnerability in WPMU DEV Branda allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Branda: from n/a through 3.4.14.

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Low

CVE-2023-49741

Authentication Bypass by Spoofing vulnerability in wpdevart Coming soon and Maintenance mode allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Coming soon and Mainten…

CVSS: 3.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-48753

Authentication Bypass by Spoofing vulnerability in 10up Restricted Site Access allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Restricted Site Access: from n/a thro…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-48271

Authentication Bypass by Spoofing vulnerability in yonifre Maspik – Spam blacklist allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maspik – Spam blacklist: from n/a…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Low

CVE-2023-47769

Authentication Bypass by Spoofing vulnerability in WP Maintenance allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Maintenance: from n/a through 6.1.3.

CVSS: 3.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-41134

Authentication Bypass by Spoofing vulnerability in pluginkollektiv Antispam Bee allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Antispam Bee: from n/a through 2.11.…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-37865

Authentication Bypass by Spoofing vulnerability in IP2Location Download IP2Location Country Blocker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Download IP2Loca…

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2024-4997

The WPUpper Share Buttons plugin for WordPress is vulnerable to unauthorized access of data when preparing sharing links for posts and pages in all versions up to, and including, 3.43. This makes it…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-3555

The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_link_pages()…

CVSS: 7.2 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-2019

The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' f…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-1717

The Admin Notices Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_ajax_call() function in all versions up to, and including,…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2024-4552

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being s…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-29974

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions bef…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-29973

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(AB…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2024-29972

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2024-06-03
Critical

CVE-2024-34987

A SQL Injection vulnerability exists in the `ofrs/admin/index.php` script of PHPGurukul Online Fire Reporting System 1.2. The vulnerability allows attackers to bypass authentication and gain unauthor…

CVSS: 9.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-4332

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication…

CVSS: 9.3 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Critical

CVE-2024-36042

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access.

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-06-02
Critical

CVE-2024-36391

MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic

CVSS: 9.1 CWE: CWE-320 View on NVD
Critical

CVE-2024-36389

MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass

CVSS: 9.8 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
High

CVE-2024-2178

A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows a…

CVSS: 7.5 CWE: CWE-29 - Path Traversal: '..filename' View on NVD
2024-06-01
High

CVE-2024-3821

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the w…

CVSS: 7.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-1324

The QQWorld Auto Save Images plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the save_remote_images_get_auto_saved_results() function hooked via…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-05-31
High

CVE-2024-29827

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-29826

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-29825

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-29824

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-29823

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-29822

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-36108

casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoi…

CVSS: 9.8 CWE: CWE-285 - Improper Authorization View on NVD
Critical

CVE-2024-23692

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary comm…

CVSS: 9.8 CWE: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine View on NVD
Medium

CVE-2024-4205

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-05-30
Critical

CVE-2024-2420

LenelS2 NetBox access control and event monitoring system was discovered to contain Hardcoded Credentials in versions prior to and including 5.6.1 which allows an attacker to bypass authentication re…

CVSS: 9.8 CWE: CWE-259 - Use of Hard-coded Password View on NVD
High

CVE-2024-35431

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions…

CVSS: 7.5 CWE: CWE-31 - Path Traversal: 'dir....filename' View on NVD
Medium

CVE-2024-4355

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the stopbadbo…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-3269

The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and inclu…

CVSS: 5.4 CWE: CWE-285 - Improper Authorization View on NVD
2024-05-29
Medium

CVE-2024-35284

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due t…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-35283

A vulnerability in the Ignite component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a stored cross-site scripting (XSS) attack due to insuff…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-4358

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authenticatio…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2024-36470

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases

CVSS: 8.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2024-5204

The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an…

CVSS: 8.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-5150

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-05-28
Medium

CVE-2024-5433

The Campbell Scientific CSI Web Server supports a command that will return the most recent file that matches a given expression. A specially crafted expression can lead to a path traversal vulnerabil…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-21785

A leftover debug code vulnerability exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series of network requests can lead to unauthoriz…

CVSS: 9.8 CWE: CWE-489 - Active Debug Code View on NVD
High

CVE-2024-29078

Incorrect permission assignment for critical resource issue exists in MosP kintai kanri V4.6.6 and earlier, which may allow a remote unauthenticated attacker with access to the product to alter the p…

CVSS: 7.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2024-05-27
Medium

CVE-2024-36105

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `IN…

CVSS: 5.3 CWE: CWE-1327 - Binding to an Unrestricted IP Address View on NVD
High

CVE-2024-5035

The affected device expose a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, r…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2024-05-24
Critical

CVE-2024-4544

The Pie Register - Social Sites Login (Add on) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.7. This is due to insufficient verification on the use…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-05-23
Critical

CVE-2024-5296

D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View.…

CVSS: 9.8 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Critical

CVE-2024-5168

Improper access control vulnerability in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely and…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-1803

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2024-2038

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use…

CVSS: 7.5 CWE: CWE-259 - Use of Hard-coded Password View on NVD
High

CVE-2024-4388

This does not validate a path generated with user input when downloading files, allowing unauthenticated user to download arbitrary files from the server

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2024-3626

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capa…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-6325

The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformup…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-05-22
High

CVE-2024-29853

An authentication bypass vulnerability in Veeam Agent for Microsoft Windows allows for local privilege escalation.

CVSS: 7.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-2036

The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all vers…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-3663

The WP Scraper plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_scraper_multi_scrape_action() function in all versions up to, and including, 5.7.…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-31340

TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prior to 3.3.6 do not properly validate certificates, which may allow a remote unauthenticated attacker to eavesdrop on an encrypted…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD